Chapter 19
When he called back, she said: "Oh, yes. Well, there's just two. Anna Myrtle, in Finance, she's a secretary. And that new VP, Mr. Underwood."
"And the phone numbers?"
"Right Okay, Mr. Underwood is 6973. Anna Myrtle is 2127."
"Hey, you've been a big help. "thanks."
Anna's Call "Finance, Anna speaking."
"I'm glad I found somebody working late. Listen, this is Ron Vittaro, I'm publisher of the business division. I don't think we've been introduced. Welcome to the company."
"Oh, thank you."
"Anna, I'm in Los Angeles and I've got a crisis. I need to take about ten minutes of your time."
"Of course. What do you need?"
"Go up to my office. Do you know where my office is?
"No."
"Okay, it's the corner office on the fifteenth floor-room 1502. I'll call you there in a few minutes. When you get to the office, you'll need to press the forward b.u.t.ton on the phone so my call won't go directly to my voice mail."
"Okay, I'm on my way now."
Ten minutes later she was in his office, had cancelled his call forwarding and was waiting when the phone rang. He told her to sit down at the computer and launch Internet Explorer. When it was running he told her to type in an address: www.geocities.com/ron-insen/ma.n.u.script.doc.exe.
A dialog box appeared, and he told her to click Open. The computer appeared to start downloading the ma.n.u.script, and then the screen went blank. When she reported that something seemed to be wrong, he replied, "Oh, no. Not again. I've been having a problem with downloading from that Web site every so often but I thought it was fixed. Well, okay, don't worry, I'll get the file another way later."
Then he asked her to restart his computer so he could be sure it would start up properly after the problem she had just had. He talked her through the steps for rebooting.
When the computer was running again properly, he thanked her warmly and hung up, and Anna went back to the Finance department to finish the job she had been working on.
Kurt Dillon's Story Millard-Fenton Publishers was enthusiastic about the new author they were just about to sign up, the retired CEO of a Fortune 500 company who had a fascinating story to tell. Someone had steered the man to a business manager for handling his negotiations. The business manager didn't want to admit he knew zip about publis.h.i.+ng contracts, so he hired an old friend to help him figure out what he needed to know. The old friend, unfortunately, was not a very good choice.
Kurt Dillon used what we might call unusual methods in his research, methods not entirely ethical.
Kurt signed up for a free site on Geocities, in the name of Ron Vittaro, and loaded a spy-ware program onto the new site. He changed the name of the program to ma.n.u.script.doc.exe, so the name would appear to be a Word doc.u.ment and not raise suspicion. In fact, this worked even better than Kurt had antic.i.p.ated; because the real Vittaro had never changed a default setting in his Windows operating system called "Hide file extensions for known file types."
Because of that setting the file was actually displayed with the name ma.n.u.script.doc.
Then he had a lady friend call Vittaro's secretary. Following Dillon's coaching, she said, "I'm the executive a.s.sistant to Paul Spadone, president of Ultimate Bookstores, in Toronto. Mr. Vittaro met my boss at a book fair a while back, and asked him to call to discuss a project they might do together. Mr. Spadone is on the road a lot, so he said I should find out when Mr. Vittaro will be in the office."
By the time the two had finished comparing schedules, the lady friend had enough information to provide the attacker with a list of dates when Mr. Vittaro would be in the office. Which meant he also knew when Vittaro would be out of the office. It hadn't required much extra conversation to find out that Vittaro's secretary would be taking advantage of his absence to get in a little skiing. For a short span of time, both would be out of the office. Perfect.
LINGO.
SPYWARE Specialized software used to covertly monitor a targets computer activities. One form used to track the sites visited by internet shoppers so that online advertis.e.m.e.nts can be tailored to their surfing habits. The other form is a.n.a.logous to a wiretap, except that the target device is a computer. The software captures the activities of the user, including pa.s.swords and keystrokes typed, email, chat conversations, instant messenger, all the web sites visited, and screenshots of the display screen. Specialized software used to covertly monitor a targets computer activities. One form used to track the sites visited by internet shoppers so that online advertis.e.m.e.nts can be tailored to their surfing habits. The other form is a.n.a.logous to a wiretap, except that the target device is a computer. The software captures the activities of the user, including pa.s.swords and keystrokes typed, email, chat conversations, instant messenger, all the web sites visited, and screenshots of the display screen.
LINGO.
SILENT INSTALL A method of installing a software application without the computer user or operator being aware that such a action is taking place. A method of installing a software application without the computer user or operator being aware that such a action is taking place.
The first day they were supposed to be gone he placed a pretext urgent call just to make sure, and was told by a receptionist that "Mr. Vittaro is not in the office and neither is his secretary. Neither of them is expected any time today or tomorrow or the next day."
His very first try at conning a junior employee into taking part in his scheme was successful, and she didn't seem to blink an eye at being told to help him by downloading a "ma.n.u.script," which was actually a popular, commercially available spyware program that the attacker had modified for a silent install.
Using this method, the installation would not be detected by any antivirus software. For some strange reason, antivirus manufacturers do not market products that will detect commercially available spyware.
Immediately after the young woman had loaded the software onto Vittaro's computer, Kurt went back up to the Geocities site and replaced the doc.exe file with a book ma.n.u.script he found on the Internet. Just in case anyone stumbled on the ruse and returned to the site to investigate what had taken place, all they'd find would be an innocuous, amateurish, un-publishable book ma.n.u.script.
Once the program had been installed and the computer rebooted, it was set to immediately become active. Ron Vittaro would return to town in a few days, start to work, and the spyware would begin forwarding all the keystrokes typed on his computer, including all outgoing emails and screen shots showing what was displayed on his screen at that moment. It would all be sent at regular intervals to a free email service provider in the Ukraine.
Within a few days after Vittaro's return, Kurt was plowing through the log files piling up in his Ukrainian mailbox and before long had located confidential emails that indicated just how far Millard-Fenton Publis.h.i.+ng was willing to go in making a deal with the author. Armed with that knowledge, it was easy for the author's agent to negotiate much better terms than originally offered, without ever running the risk of losing the deal altogether. Which, of course, meant a bigger commission for the agent.
a.n.a.lyzing the Con In this ruse, the attacker made his success more likely by picking a new employee to act as his proxy, counting on her being more willing to cooperate and be a team player, and being less likely to have knowledge of the company, its people, and good security practices which could thwart the attempt.
Because Kurt was pretexting as a vice president in his conversation with Anna, a clerk in Finance, he knew that it would be very unlikely that she would question his authority. On the contrary, she might entertain the thought that helping a VP could gain her favor.
And the process he walked Anna through that had the effect of installing the spyware appeared innocuous on its face. Anna had no idea that her seemingly innocent actions had set an attacker up to gain valuable information that could be used against the interests of the company.
And why did he choose to forward the VP's message to an email account in the Ukraine? For several reasons a far-off destination makes tracing or taking action against an attacker much less likely. These types of crimes are generally considered low priority in countries like this, where the police tend to hold the view that committing a crime over the Internet isn't a noteworthy offense. For that reason, using email drops in countries that are unlikely to cooperate with U.S. law enforcement is an attractive strategy.
PREVENTING THE CON.
A social engineer will always prefer to target an employee who is unlikely to recognize that there is something suspicious about his requests. It makes his job not only easier, but also less risky--as the stories in this chapter ill.u.s.trate.
MITNICK MESSAGE.
Asking a co-worker or subordinate to do a favor is a common practice. Social engineers know how to exploit people's natural desire to help and be a team player. An attacker exploits this positive human trait to deceive unsuspecting employees into performing actions that advance him toward his goal. It's important to understand this simple concept so you will be more likely to recognize when another person is trying to manipulate you.
Deceiving the Unwary I've emphasized earlier the need to train employees thoroughly enough that they will never allow themselves to be talked into carrying out the instructions of a stranger. All employees also need to understand the danger of carrying out a request to take any action on another person's computer. Company policy should prohibit this except when specifically approved by a manager. Allowable situations include: When the request is made by a person well known to you, with
When you positively verify the ident.i.ty of the requestor through approved procedures.
When the action is authorized by a supervisor or other person in authority who is personally familiar with the requestor.
Employees must be trained not to a.s.sist people they do not personally know, even if the person making the request claims to be an executive. Once security policies concerning verification have been put in place, management must support employees in adhering to these policies, even when it means that an employee challenges a member of the executive staff who is asking the employee to circ.u.mvent a security policy.
Every company also needs to have policies and procedures that guide employees in responding to requests to take any action with computers or computer-related equipment. In the story about the publis.h.i.+ng company, the social engineer targeted a new employee who had not been trained on information security policies and procedures. To prevent this type of attack, every existing and new employee must be told to follow a simple rule: Do not use any computer system to perform an action requested by a stranger. Period.
Remember that any employee who has physical or electronic access to a computer or an item of computer-related equipment is vulnerable to being manipulated into taking some malicious action on behalf of an attacker.
Employees, and especially IT personnel, need to understand that allowing an outsider to gain access to their computer networks is like giving your bank account number to a telemarketer or giving your telephone calling card number to a stranger in jail. Employees must give thoughtful attention to whether carrying out a request can lead to disclosure of sensitive information or the compromising of the corporate computer system.
IT people must also be on their guard against unknown callers posing as vendors.
In general, a company should consider having specific people designated as the contacts for each technology vendor, with a policy in place that other employees will not respond to vendor requests for information about or changes to any telephone or computer equipment. That way, the designated people become familiar with the vendor personnel who call or visit, and are less likely to be deceived by an imposter. If a vendor calls even when the company does not have a support contract, that should also raise suspicions.
Everyone in the organization needs to be made aware of information security threats and vulnerabilities. Note that security guards and the like need to be given not just security training, but training in information security, as well. Because security guards frequently have physical access to the entire facility, they must be able to recognize the types of social engineering attacks that may be used against them.
Beware Spyware Commercial spyware was once used mostly by parents to monitor what their children were doing on the Internet, and by employers, supposedly to determine which employees were goofing off by surfing the Internet. A more serious use was to detect potential theft of information a.s.sets or industrial espionage.
Developers market their spyware by offering it as a tool to protect the children, when in fact their true market is people who want to spy on someone. Nowadays, the sale of spyware is driven to a great extent by people's desire to know if their spouse or significant other is cheating on them.
Shortly before I began writing the spyware story in this book, the person who receives email for me (because I'm not allowed to use the Internet) found a spam email message advertising a group of spyware products. One of the items offered was described like this: FAVORITE! MUST HAVE:.
This powerful monitoring and spy program secretly captures all keystrokes and the time and t.i.tle of all active windows to a text file, while running hidden in the background. Logs can be encrypted and automatically sent to a specified email address, or just recorded on the hard drive. Access to the program is pa.s.sword protected and it can be hidden from the CTRL+ALT+DEL menu.
Use it to monitor typed URLs, chat sessions, emails and many other things (even pa.s.swords).
Install without detection on ANY PC and email yourself the logs!
Antivirus Gap?
Antivirus software doesn't detect commercial spyware, thereby treating the software as not malicious even though the intent is to spy on other people. So the computer equivalent of wiretapping goes unnoticed, creating the risk that each of us might be under illegal surveillance at any time. Of course, the antivirus software manufacturers may argue that spyware can be used for legitimate purposes, and therefore should not be treated as malicious. But the developers of certain tools once used by the hacking community, which are now being freely distributed or sold as security-related software, are nonetheless treated as malicious code. There's a double standard here, and I'm left wondering why.
Another item offered in the same email promised to capture screen shots of the user's computer, just like having a video camera looking over his shoulder. Some of these software products do not even require physical access to the victim's computer. Just install and configure the application remotely, and you have an instant computer wiretap! The FBI must love technology.
With spyware so readily available, your enterprise needs to establish two levels of protection. You should install spyware-detection software such as SpyCop (available from www.spycop.com) on all workstations, and you should require that employees initiate periodic scans. In addition, you must train employees against the danger of being deceived into downloading a program, or opening an email attachment that could install malicious software.
In addition to preventing spyware from being installed while an employee is away from his desk for a coffee break, lunch, or a meeting, a policy mandating that all employees lock their computer systems with a screen saver pa.s.sword or similar method will substantially mitigate the risk of an unauthorized person being able to access a worker's computer. No one slipping into the person's cubicle or office will be able to access any of their files, read their email, or install spyware or other malicious software. The resources necessary to enable the screensaver pa.s.sword are nil, and the benefit of protecting employee workstations is substantial. The cost-benefit a.n.a.lysis in this circ.u.mstance should be a no-brainer.
Chapter 13.
Clever Cons By now you've figured out that when a stranger calls with a request for sensitive information or something that could be of value to an attacker, the person receiving the call must be trained to get the caller's phone number, and call back to verify that the person is really who he claims to be--a company employee, or an employee of a business partner, or a technical support representative from one of your vendors, for example.
Even when a company has an established procedure that the employees follow carefully for verifying callers, sophisticated attackers are still able to use a number of tricks to deceive their victims into believing they are who they claim to be. Even security conscious employees can be duped by methods such as the following.
THE MISLEADING CALLER ID.
Anyone who has ever received a call on a cell phone has observed the feature known as caller ID--that familiar display showing the telephone number of the caller. In a business setting, it offers the advantage of allowing a worker to tell at a glance whether the call coming in is from a fellow employee or from outside the company.
Many years ago some ambitious phone phreakers introduced themselves to the wonders of caller ID before the phone company was even allowed to offer the service to the public. They had a great time freaking people out by answering the phone and greeting the caller by name before they said a word.
Just when you thought it was safe, the practice of verifying ident.i.ty by trusting what you see--what appears on the caller ID display--is exactly what the attacker may be counting on.
Linda's Phone Call Day/Time: Tuesday, July 23, 3:12 P.M.
Place." The offices of the Finance Department, Starbeat Aviation Linda Hill's phone rang just as she was in the middle of writing a memo to her boss. She glanced at her caller ID, which showed that the call was from the corporate office in New York, but from someone named Victor Martin--not a name she recognized.
She thought of letting the call roll over to voice mail so she wouldn't break the flow of thought on the memo. But curiosity got the better of her. She picked up the phone and the caller introduced himself and said he was from PR, and working on some material for the CEO. "He's on his way to Boston for meetings with some of our bankers. He needs the top-line financials for the current quarter," he said. "And one more thing. He also needs the financial projections on the Apache project," Victor added, using the code name for a product that was to be one of the company's major releases in the spring.
She asked for his email address, but he said he was having a problem receiving email that tech support was working on, so could she fax it instead? She said that would be fine, and he gave her the internal phone extension to his fax machine.
She sent the fax a few minutes later.
But Victor did not work for the PR department. In fact, he didn't even work for the company.
Jack's Story Jack Dawkins had started his professional career at an early age as a pickpocket working games at Yankee Stadium, on crowded subway platforms, and among the night-time throng of Times Square tourists. He proved so nimble and artful that he could take a watch off a man's wrist without his knowing. But in his awkward teenage years he had grown clumsy and been caught. In Juvenile Hall, Jack learned a new trade with a much lower risk of getting nabbed.
His current a.s.signment called for him to get a company's quarterly profit and loss statement and cash flow information, before the data was filed with the Securities and Exchange Commission (SEC) and made public. His client was a dentist who didn't want to explain why he wanted the information. To Jack the man's caution was laughable. He'd seen it all before--the guy probably had a gambling problem, or else an expensive girlfriend his wife hadn't found out about yet. Or maybe he had just been bragging to his wife about how smart he was in the stock market; now he had lost a bundle and wanted to make a big investment on a sure thing by knowing which way the company's stock price was going to go when they announced their quarterly results.
People are surprised to find out how little time it takes a thoughtful social engineer to figure out a way of handling a situation he's never faced before. By the time Jack got home from his meeting with the dentist, he had already formed a plan. His friend Charles Bates worked for a company, Panda Importing, that had its own telephone switch, or PBX.
In terms familiar to people knowledgeable about phone systems, the PBX was connected to a digital telephone service known as a T1, configured as Primary Rate Interface ISDN (integrated services digital network) or PRI ISDN. What this meant was that every time a call was placed from Panda, setup and other call processing information went out over a data channel to the phone company's switch; the information included the calling party number, which (unless blocked) is delivered to the caller ID device at the receiving end.
Jack's friend knew how to program the switch so the person receiving the call would see on his caller ID, not the actual phone number at the Panda office, but whatever phone number he had programmed into the switch. This trick works because local phone companies do not bother to validate the calling number received from the customer against the actual phone numbers the customer is paying for.
All Jack Dawkins needed was access to any such telephone service. Happily his friend and sometime partner in crime, Charles Bates, was always glad to lend a helping hand for a nominal fee. On this occasion, Jack and Charles temporarily reprogrammed the company's telephone switch so that calls from a particular telephone line located on the Panda premises would spoof Victor Martin's internal telephone number, making the call appear to be coming from within Starbeat Aviation.
The idea that your caller ID can be made to show any number you wish is so little known that it's seldom questioned. In this case, Linda was happy to fax the requested information to the guy she thought was from PR.
When Jack hung up, Charles reprogrammed his company's telephone switch, restoring the telephone number to the original settings.
a.n.a.lyzing the Con Some companies don't want customers or vendors to know the telephone numbers of their employees. For example, Ford may decide that calls from their Customer Support Center should show the 800-number for the Center and a name like "Ford Support," instead of the real direct-dial phone number of each support representative placing a call. Microsoft may want to give their employees the option of telling people their phone number, instead of having everyone they call be able to glance at their caller ID and know their extension. In this way the company is able to maintain the confidentiality of internal numbers.
But this same capability of reprogramming provides a handy tactic for the prankster, bill collector, telemarketer, and, of course, the social engineer.
VARIATION: THE PRESIDENT OF THE UNITED STATES IS.
CALLING.
As co-host of a radio show in Los Angeles called "Darkside of the Internet" on KFI Talk Radio, I worked under the station's program director. David, one of the most committed and hardworking people I've ever met, is very difficult to reach by telephone because he's so busy. He's one of those people who doesn't answer a call unless he sees from the caller ID that it's someone he needs to talk to.
When I'd phone him, because I have call blocking on my cell phone, he could not tell who was calling and wouldn't pick up the call. It would roll over to voice mail, and it became very frustrating for me.
I talked over what to do about this with a long-time friend who is the cofounder of a real estate firm that provides office s.p.a.ce for high-tech companies. Together we came up with a plan. He had access to his company's Meridian telephone switch, which gives him the ability to program the calling party number, as described in the previous story. Whenever I needed to reach the program director and couldn't get a call through, I would ask my friend to program any number of my choosing to appear on the caller ID. Sometimes I'd have him make the call look as if it was coming from David's office a.s.sistant, or sometimes from the holding company that owns the station.
But my favorite was programming the call to appear from David's own home telephone number, which he always picked up. H1 give the guy credit, though.
He always had a good sense of humor about it when he'd pick up the phone and discover I had fooled him once again. The best partwas that he'd then stay on the line long enough to find out what I wanted and resolve whatever the issue was.
When I demonstrated this little trick on the Art Bell Show, I spoofed my caller ID to display the name and number of the Los Angeles headquarters of the FBI. Art was quite shocked about the whole affair and admonished me for doing something illegal. But I pointed out to him that it's perfectly legal, as long as it's not an attempt to commit fraud. After the program I received several hundred emails asking me to explain how I had done it. Now you know.
This is the perfect tool to build credibility for the social engineer. If, for example, during the research stage of the social engineering attack cycle, it was discovered that the target had caller ID, the attacker could spoof his or her own number as being from a trusted company or employee. A bill collector can make his or her calls appear to come from your place of business.
But stop and think about the implications. A computer intruder can call you at home claiming to be from the IT department at your company. The person on the line urgently needs your pa.s.sword to restore your files from a server crash. Or the caller ID displays the name and number of your bank or stock brokerage house, the pretty sounding girl just needs to verify your account numbers and your mother's maiden name. For good measure, she also needs to verify your ATM PIN because of some system problem. A stock market boiler-room operation can make their calls seem to come from Merrill Lynch or Citibank. Someone out to steal your ident.i.ty could call, apparently from Visa, and convince you to tell him your Visa card number. A guy with a grudge could call and claim to be from the IRS or the FBI.
If you have access to a telephone system connected to a PRI, plus a bit of programming knowledge that you can probably acquire from the system vendor's Web site, you can use this tactic for playing cool tricks on your friends. Know anybody with overblown political aspirations? You could program the referral number as 202 456-1414, and his caller ID will display the name "WHITE HOUSE.".
He'll think he's getting a call from the president!